elDoc deployment steps on Rocky Linux 9 / RedHat Linux 9

Contents:

1. General assumptions

1.1. SELinux subsystem

This guide assumes that SELinux is disabled as such SELinux deployment steps are not covered. In case you need to keep SELinux enabled - please perform necessary adjustments according to your needs and follow the SELinux documentation.

In order to disable SELinux the followings steps are to be performed:

1) Edit file /etc/selinux/config

nano /etc/selinux/config

2) Locate line with SELINUX= parameter and set it as following

SELINUX=disabled

3) Save file, exit editor and execute command:

setenforce 0

1.2. Folders structure

It is assumed that installation will be performed in the directory /local.

The folder structure is the following:

\local
|–-elDoc
|–-java
|–-jmc
|–-mongo
|–-mongoData
|--tessData
|–-solr
|–-solrData


2. Java installation

dnf install -y https://cdn.azul.com/zulu/bin/zulu-repo-1.0.0-1.noarch.rpm
alternatives --remove-all java
dnf install -y zulu17-jre

ln -sfn /usr/lib/jvm/java-17-zulu-openjdk-ca/ /local/java

nano /etc/profile.d/java.sh

export JRE_HOME=/usr/lib/jvm/java-17-zulu-openjdk-ca
export PATH=$PATH:/usr/lib/jvm/java-17-zulu-openjdk-ca/bin

[root@eldoc.server.local /]# java -version
openjdk version "17.0.11" 2024-04-16 LTS
OpenJDK Runtime Environment Zulu17.50+19-CA (build 17.0.11+9-LTS)
OpenJDK 64-Bit Server VM Zulu17.50+19-CA (build 17.0.11+9-LTS, mixed mode, sharing)

mkdir /local/java && tar -xvzf zulu17.50.19-ca-jre17.0.11-linux_x64.tar.gz -C /local/java

ln -sfn /local/java/zulu17.50.19-ca-jre17.0.11-linux_x64/ /local/java/java_active

alternatives --remove-all java
alternatives --install /usr/bin/java java /local/java/java_active/bin/java 1

nano /etc/profile.d/java.sh

export JRE_HOME=/local/java/java_active
export PATH=$PATH:/local/java/java_active/bin

[root@eldoc.server.local /]# java -version
openjdk version "17.0.11" 2024-04-16 LTS
OpenJDK Runtime Environment Zulu17.50+19-CA (build 17.0.11+9-LTS)
OpenJDK 64-Bit Server VM Zulu17.50+19-CA (build 17.0.11+9-LTS, mixed mode, sharing)

3. MongoDB installation

3.1. MongoDB binaries installation

nano /etc/yum.repos.d/mongodb-org-7.0.repo

[mongodb-org-7.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/7.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-7.0.asc

dnf install -y mongodb-org

dnf install -y libcurl openssl xz-libs

tar -xvf mongodb-linux-x86_64-rhel90-7.0.12.tgz -C /local/
mv /local/mongodb-linux-x86_64-rhel90-7.0.12/ /local/mongo
useradd -s/bin/bash -M -U mongod
chown -R mongod:mongod /local/mongo

3.2. Post-installation steps

• If SELinux is in enforcing mode, you must customize your SELinux policy for MongoDB:
  https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/#configure-selinux
  
  
• Disable Transparent Huge Pages (THP):
  https://docs.mongodb.com/manual/tutorial/transparent-huge-pages/
  
  
• Adjust system params:
  Edit file: nano /etc/sysctl.conf
  Add to the end of the file: vm.max_map_count=153600
Reboot server in order to settings get applied
  Check that settings applied, execute command: sysctl vm.max_map_count Output should be equal the value entered in the /etc/sysctl.conf file

3.3. Configuration and launch

1) Create MongoDB data directory by executing commands:

mkdir /local/mongoData && chown -R mongod:mongod /local/mongoData

2) Create MongoDB key-file:

openssl rand -base64 756 > /etc/mongod.key
chmod 400 /etc/mongod.key
chown mongod:mongod /etc/mongod.key

3) Create or edit MongoDB configuration file, which should look similar to the one provided below:

nano /etc/mongod.conf

systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /local/mongoData

processManagement:
  timeZoneInfo: /usr/share/zoneinfo

net:
  bindIp: 127.0.0.1
  port: 27017

security:
  keyFile: /etc/mongod.key
# authorization: enabled

*Make sure that all paths are valid and have a read-write access for the mognod user.

4) Launch MongoDB Service by executing command:

systemctl start mongod

3.4. Users creation

1) Launch MongoDB shell

To launch MongoDB shell execute the following command: mongosh

In case of manually deployed MongoDB - you may need to download and extract MongoDB Database Tools. Assuming that Database Tools were extracted to the MongoDB bin directory, you may launch MongoDB Shell manually executing the command: /local/mongo/bin/mongo

2) Create root user in MongoDB

use admin
db.createUser( {user: "root", pwd: passwordPrompt(), roles: [{role: "root", db: "admin"}]} )

3) Create elDoc application user

Follow the pattern of the db-name as shown below. Suffix prd1 can be replaced respectively based on the deployment environment, e.g.: uat1, tst1, dev1, etc.

db.auth("root")
use eldoc_prd1
db.createUser( {user: "prd1", pwd: passwordPrompt(), roles: [{role: "dbOwner", db: "eldoc_prd1"}]} )

Where prd1 is an id of the elDoc DB user. Make sure that prd1 used during DB creation is the same as the one stated in the elDoc config file (eldoc.conf)

4) Securely write down logins, db-names and passwords

5) Enable MongoDB authentication

Open MongoDB configuration file and uncomment the following lines:

...
security:
  authorization: enabled  
...

6) Restart MongoDB service

systemctl restart mongod

3.5. Enable replication

1) Edit config file and add respective configuration property

nano /etc/mongod.conf

...
replication
  replSetName: rs0
...

2) Restart MongoDB after adjusting configuration and initialize replication

Login to the MongoDB shell and initialize replication:

mongosh
use admin
db.auth("root")
rs.initiate()

4. elDoc dependencies installation & configuration

4.1. IDP dependencies installation

1) Download and install TessData

mkdir /local/tessData && cd /local/tessData
wget -O tessdata_best-4.1.0.zip https://github.com/tesseract-ocr/tessdata_best/archive/4.1.0.zip
unzip tessdata_best-4.1.0.zip
rm -f tessdata_best-4.1.0.zip

2) Respective adjustment to be made in the eldoc.conf file.

idp.tessdata.path=/local/tessData/tessdata_best-4.1.0

4.2. Full-text search service installation 

NOTE: This component provides full-text search functionality and is optional for deployment

1) Install prerequisites

dnf install lsof

2) Download and extract Apache Solr software

cd /local/_distr
wget https://www.apache.org/dyn/closer.lua/solr/solr/9.6.1/solr-9.6.1.tgz?action=download -O solr-9.6.1.tgz
mkdir /local/solr && mkdir /local/solrData && mkdir /local/solrData/data && mkdir /local/solrData/logs
tar -zxvf solr-9.6.1.tgz -C /local/solr
ln -sfn /local/solr/solr-9.6.1/ /local/solr/solr
cp /local/solr/solr/server/solr/solr.xml /local/solrData/data/ && cp /local/solr/solr/server/solr/zoo.cfg /local/solrData/data/
cp /local/solr/solr/server/resources/log4j2.xml /local/solrData/

3) Deploy provided Solr Core configuration

cd /local/_distr && wget https://dms-solutions.co/downloads/configset_elDoc-v5.7.x_Solr-v9.0.x_v2.zip
unzip configset_elDoc-v5.7.x_Solr-v9.0.x_v2.zip
mv configset_elDoc-v5.7.x_Solr-v9.0.x/solrData/data/configsets /local/solrData/data/
rm -rf configset_elDoc-v5.7.x_Solr-v9.0.x

4) Create user for Solr service

useradd -s/bin/bash -M -U solr
chown -R solr:solr /local/solrData

5) Install Solr service

nano /etc/systemd/system/solr.service

[Unit]
Description=Apache Solr
After=syslog.target network.target

[Service]
Type=forking
User=solr
Restart=on-failure
LimitNOFILE=65000
LimitNPROC=65000
Environment="SOLR_INSTALL_DIR=/local/solr/solr"
Environment="SOLR_PID_DIR=/local/solrData/"
Environment="SOLR_HOME=/local/solrData/data"
Environment="LOG4J_PROPS=/local/solrData/log4j2.xml"
Environment="SOLR_LOGS_DIR=/local/solrData/logs"
Environment="SOLR_PORT=8983"
Environment="SOLR_MODULES=extraction"
Environment="SOLR_JAVA_MEM=-Xms512m -Xmx1g"
Environment="SOLR_REQUESTLOG_ENABLED=false"
Environment="SOLR_LOG_LEVEL=WARN"
PIDFile=/local/solrData/solr-8983.pid
WorkingDirectory=/local/solrData
ExecStart=/local/solr/solr/bin/solr start
ExecReload=/local/solr/solr/bin/solr restart
ExecStop=/local/solr/solr/bin/solr stop

[Install]
WantedBy=multi-user.target 

6) Enable and launch Solr service

systemctl daemon-reload && systemctl enable solr.service && systemctl start solr.service

4.3. Sync-service installation

NOTE: This component provides data synchronization capabilities between MongoDB and full-text search service and required to be installed only in case full-text search service was installed.

1) Download elDoc Java Mongo Connector

cd /local/_distr && wget https://dms-solutions.co/downloads/eldoc-jmc-1.6-service-distr.zip

2) Unzip and deploy required files

unzip eldoc-jmc-1.6-service-distr.zip
mv jmc /local/jmc && mv jmc.service /etc/systemd/system
mkdir /local/jmc/logs

3) Create system user and group for running synch service

useradd -s/bin/bash -M -U jmc

4) Create database user for sync service

mongosh
use admin
db.auth("root")
db.createUser( {user: "jmc", pwd: passwordPrompt(), roles: ["backup"]} )

Securely write down created user credentials

5) Adjust config and access rights for the config file as required

nano /local/jmc/config-eldoc.json

Adjust access rights for the sync service configuration

chmod 600 /local/jmc/config-eldoc.json
chown -R jmc:jmc /local/jmc/

6) Install and enable sync system service

Make necessary adjustments where required

chmod +x /local/jmc/jmc-service.sh
nano /etc/systemd/system/jmc.service

[Unit]
Description=elDoc Java Mongo Connector Service
After=syslog.target network.target mongod.service solr.service
Requires=mongod.service solr.service

[Service]
User=jmc
Type=forking
ExecStart=/local/jmc/jmc-service.sh
ExecStop=/bin/kill -s TERM $MAINPID
WorkingDirectory=/local/jmc
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

Once sync service configured you may launch it by executing the following command:

systemctl daemon-reload && systemctl enable jmc.service && systemctl start jmc

4.4. Document conversion service installation

NOTE: This component is optional and provides online preview and document auto-filling functionality.

1) Office conversion service installed using standard Linux package manager

dnf install -y libreoffice-base libreoffice-writer libreoffice-math libreoffice-calc libreoffice-core libreoffice-draw libreoffice-emailmerge libreoffice-graphicfilter libreoffice-impress libreoffice-opensymbol-fonts libreoffice-data libreoffice-ure libreoffice-ure-common libreoffice-pyuno libreoffice-filters libreoffice-ogltrans libreoffice-pdfimport libreoffice-xsltfilter libreoffice-langpack-en libreoffice-langpack-ru libreoffice-langpack-uk libreofficekit libreoffice-headless

After executing the command above required packages will be installed in the system and automatically picked-up by the elDoc system.

4.5. Reverse-proxy service installation

1) Add new repo

nano /etc/yum.repos.d/nginx.repo

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

2) Install nginx reverse-proxy

dnf install nginx

3) Remove default configuration file

rm -f /etc/nginx/conf.d/default.conf

4) Create configuration for elDoc server by pasting the following content into the /etc/nginx/conf.d/eldoc.conf configuration file

nano /etc/nginx/conf.d/eldoc.conf

IMPORTANT: adjust parameters like (server_name, ssl_certificate, ssl_certificate_key) as required according to your environment.

upstream eldoc {
    ip_hash;
    server localhost:8080 max_fails=1 fail_timeout=5s;
    #server node2.eldoc.local:8082 max_fails=1 fail_timeout=5s;
}

map $http_upgrade $proxy_connection {
  default   upgrade;
  ""        close;
}

map $cache $expires {
    1         30d;
    default   off;
}

map $cache $control {
    1         "public, no-transform";
}

map $uri $cache {
    ~*\.(ico|css|js|gif|jpe?g|png|tif?f|woff|ttf|otf|svg|woff2|eot)$    1;
}

server {

    listen                     443 ssl http2;
    server_tokens              off;
    server_name                eldoc.domain.com;

    ssl_certificate            /etc/nginx/cert/XXXXXX.crt;
    ssl_certificate_key        /etc/nginx/cert/XXXXXX.key;
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                HIGH:!aNULL:!MD5;

    client_max_body_size       100M;
    error_page                 404                 /404.xhtml;

    # Cahce control settings
    expires                    $expires;
    add_header                 Cache-Control       $control;


    location / {
        proxy_pass             http://eldoc/;
        proxy_connect_timeout  600;
        proxy_send_timeout     600;
        proxy_read_timeout     600;
        send_timeout           600;
        proxy_http_version     1.1;
        proxy_set_header       Upgrade             $http_upgrade;
        proxy_set_header       Connection          $proxy_connection;
        proxy_set_header       Host                $host:$server_port;
        proxy_set_header       X-Real-IP           $remote_addr;
        proxy_set_header       X-Remote-IP         $remote_addr;
        proxy_set_header       X-Forwarded-Host    $host;
        proxy_set_header       X-Forwarded-Server  $host;
        proxy_set_header       X-Forwarded-Proto   $scheme;
        proxy_set_header       X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header       Proxy-IP            $remote_addr;
        proxy_set_header       Proxy-keysize       256;
    }
}

5) Adjust default nginx config file and remove default server blocks, minimal content of the file is provided below

nano /etc/nginx/nginx.conf

user nginx;
worker_processes 1;

error_log   /var/log/nginx/error.log;
pid         /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream; 

     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include /etc/nginx/conf.d/*.conf;
}

7) Adjust firewall rules in case required

firewall-cmd --permanent --add-service=https && firewall-cmd --reload

8) Enable and start reverse-proxy service

systemctl enable nginx && systemctl start nginx

4.6. Document online editing service installation

NOTE: This component is optional and provides online editing capabilities for the office documents.

Steps below provide procedure on installing community version of the online editing service. 

Execute the following commands:

1) Install additional fonts set

dnf install liberation-fonts liberation-mono-fonts liberation-sans-fonts liberation-serif-fonts liberation-narrow-fonts open-sans-fonts abattis-cantarell-fonts dejavu-sans-mono-fonts dejavu-serif-fonts google-noto-emoji-color-fonts google-noto-sans-cjk-ttc-fonts google-noto-sans-gurmukhi-fonts google-noto-serif-cjk-ttc-fonts jomolhari-fonts julietaula-montserrat-fonts lohit-assamese-fonts lohit-bengali-fonts lohit-devanagari-fonts lohit-gujarati-fonts lohit-kannada-fonts lohit-odia-fonts lohit-tamil-fonts lohit-telugu-fonts paktype-naskh-basic-fonts sil-abyssinica-fonts sil-nuosu-fonts sil-padauk-fonts smc-meera-fonts stix-fonts thai-scalable-waree-fonts -y

And refresh fonts cache and update CollaboraOnline systemplate:

fc-cache -f -v

2) Binaries installation

Below community (CODE) version installation steps are provided. In case you have purchased a CollaboraOnline license - please refer to the steps provided in CollaboraOnline Portal.

Create CollaboraOnline CODE repo:

nano /etc/yum.repos.d/CollaboraOffice-CODE.repo

[CollaboraOffice-CODE]
name=CollaboraOffice-CODE
baseurl=https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-rpm
enabled=1

wget https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-rpm/repodata/repomd.xml.key && sudo rpm --import repomd.xml.key && rm -f repomd.xml.key
dnf install coolwsd CODE-brand

3) Edit configuration file and adjust lines as per provided samples below

NOTE: Installation steps provided below assume that HTTPS-connections are terminated by nginx reverse-proxy and forwarded to coolwsd via HTTP.

Make the following adjustments to the coolwsd.xml configuration file (for the listed below parameters only).

nano /etc/coolwsd/coolwsd.xml

<config>
    <!-- Optional: Add languages, e.g.: uk -->
    <allowed_languages desc="..." default="...">de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT uk ru</allowed_languages>

    <experimental_features desc="..." type="bool" default="false">false</experimental_features>
    <memproportion desc="..." type="double" default="35.0"></memproportion>

    <per_document desc="Document-specific settings, including LO Core settings.">
        <idlesave_duration_secs desc="The number of idle seconds after which document, if modified, should be saved. Disabled when 0. Defaults to 30 seconds." type="uint" default="30">0</idlesave_duration_secs>
        <autosave_duration_secs desc="The number of seconds after which document, if modified, should be saved. Disabled when 0. Defaults to 5 minutes." type="uint" default="300">0</autosave_duration_secs>
        <always_save_on_exit desc="On exiting the last editor, always perform the save, even if the document is not modified." type="bool" default="false">true</always_save_on_exit>

    <logging>
        <color type="bool">false</color>
        <file enable="true">
            <property name="path" desc="Log file path.">/var/log/coolwsd/coolwsd.log</property>

    <ssl desc="SSL settings">
        <enable type="bool" desc="..." default="true">false</enable>
        <termination desc=..." type="bool" default="true">true</termination>

	<storage desc="Backend storage">
        <wopi desc="..." allow="true">
            <alias_groups desc="..." mode="first">
                <host desc="elDoc Wopi host" allow="true">https://eldoc.domain.com:443</host>

    <admin_console desc="Web admin console settings.">
        <enable desc="Enable the admin console functionality" type="bool" default="true">false</enable>

    <quarantine_files desc="..." default="false" enable="true">
        <limit_dir_size_mb desc="..." default="250" type="uint">2048</limit_dir_size_mb>
        <max_versions_to_maintain desc="..." default="2" type="uint"></max_versions_to_maintain>
        <path desc="..." type="path" relative="true" default="quarantine">/local/cool/quarantine</path>
        <expiry_min desc="..." type="int" default="30">4320</expiry_min>

4) Edit service file

systemctl edit coolwsd.service

[Service]
ExecStart=
ExecStart=/usr/bin/coolwsd --version --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/local/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd
ReadWritePaths=/local/cool /var/log/coolwsd

5) Create required folders and set permissions

mkdir /local/cool && mkdir /local/cool/quarantine && chown -R cool:cool /local/cool && chmod -R 770 /local/cool

6) Create logs folder

mkdir /var/log/coolwsd && chown cool:cool /var/log/coolwsd

7) Enable & Start service

systemctl daemon-reload && systemctl enable coolwsd && systemctl start coolwsd

8) Update Nginx rules

nano /etc/nginx/conf.d/eldoc.conf

Add the following lines in the server{} section in the bottom:

server { 
	location / {
        ...
	}

    # CollaboraOnline Config
    include snippets/coolwsd.conf;
}

Edit coolwsd.xml snippet configuration file to look as follows (leave only shown lines as per config below, replace http://localhost:9980 with http://127.0.0.1:9980):

nano /etc/nginx/snippets/coolwsd.conf

    # static files
    location ^~ /browser {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/cool/(.*)/ws$ {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/cool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

Restart nginx

systemctl restart nginx

10) Adjust elDoc configuration file

Make the respective adjustments in the eldoc.conf file as per example below:
wopi.host.discovery=http://127.0.0.1:9980
wopi.host.iframe=https://eldoc.domain.com:443

5. elDoc installation & configuration

1) Extract obtained elDoc distribution archive

Extract elDoc archive into /local/elDoc folder

2) Create user for running elDoc server

useradd -s/bin/bash -M -U eldoc
chown -R eldoc:eldoc /local/elDoc

NOTE: instead of the OS username eldoc you may use other options depending on the target environment, e.g.: eldoc for PROD, qa1 for QA, dev1 for DEV etc.

3) Edit elDoc configuration file in order to configure the elDoc system

nano /local/elDoc/eldoc.conf
chmod 600 /local/elDoc/eldoc.conf

NOTE: For the purpose of the secret keys generation which are used in the eldoc.conf file we recommend to use elDoc Cipher Tool located in the folder elDoc/bin/ciphertool.jar.

Use the following command to launch the tool in command line: # java -jar elDoc/bin/ciphertool.jar and get on-screen instructions on how to use the tool.

4) Edit elDoc system service file and replace respective parameters (e.g.: User=eldoc) where required

nano /local/elDoc/eldoc.service 

5) Install elDoc as a linux service

mv /local/elDoc/eldoc.service /etc/systemd/system/
systemctl enable eldoc

6) Adjust file attributes on the server launch script

chmod +x /local/elDoc/elDoc-server.sh

7) Start elDoc server

systemctl start eldoc

8) Initial login to the elDoc system and administrator user creation

In order to perform initial login to the elDoc system you need to enable "elDoc maintenance mode" via making the necessary adjustments in the eldoc.conf file. Once admin user is created in the elDoc system you need to disable the "elDoc maintenance mode".

9) elDoc configuration after first login

Make sure to complete elDoc configuration (via the Administration → Configuration page) after first login to the system.